zcash_proofs: Extract separate verifiers for proofs, spendAuthSigs, and bindingSig from SaplingVerificationContext

[str4d]

Currently, we have a single SaplingVerificationContext which we initialize, use to verify each Spend and Output description, and then call final_check to verify bindingSig. The reason for this workflow was that there is a data dependency on the entire transaction to fully verify it. However, this data dependency is only a blocker on bindingSig; the remaining components can be verified independently of the whole transaction (after computing sigHash), and also batch-verified.

Furthermore, the data dependency for bindingSig is effectively just on computing bvk. Once we have that, verification of bindingSig is equivalent to verifying a spendAuthSig.

We should extract the per-proof and per-signature verifiers from SaplingVerificationContext, so they can be run independently or batched. SaplingVerificationContext would continue to apply the various consensus checks on each spend and output, and final_check would return bvk, which could then be used to e.g. batch-verify bindingSig alongside the spendAuthSigs.

[str4d]

This is essentially how the orchard crate works, so we would follow its pattern here.

[daira]

Was this done? It is marked as blocking zcash/librustzcash#738 which is closed.